dotnet / runtime

Empty LdapException.ServerErrorMessage on Linux #83259

Open k-t opened 1 year ago

k-t commented 1 year ago

Sorry, I'm not sure how to properly reopen an existing issue that was closed due to inactivity.

Basically, I have the same issue as in #70210.

I'm trying to handle the case where an Active Directory user enters correct credentials but his password was either reset or expired. I can rely on LdapException.ServerErrorMessage on Windows, where it provides details like:

80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 773, v1db1

But on Linux this property is always empty. I can't rely on LdapException.ErrorCode since it always equals 49 (LDAP_INVALID_CREDENTIALS), which is expected.

I've checked both 7.0 and 8.0.0-preview.1.23110.8 versions of System.DirectoryServices.Protocols with the same result.

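It seems that the issue stems from the usage of `LdapOption.LDAP_OPT_SERVER_ERROR` [here](https://github.com/dotnet/runtime/blob/a923c64/src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapSessionOptions.cs#L507) even though it is mentioned it's not supported on Linux ([here](https://github.com/dotnet/runtime/blob/a923c64/src/libraries/Common/src/Interop/Interop.Ldap.cs#L134)).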

Replacing it with LdapOption.LDAP_OPT_ERROR_STRING makes it possible to get the desired error message from Active Directory on Linux.

Would it be possible to use LdapOption.LDAP_OPT_ERROR_STRING in LdapSessionOptions for Linux? Or to add some other way to get that information if this change can break existing code for LDAP servers other than AD?
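
Added example, not part of the original issue or of dotnet/runtime: one way to classify the `data` sub-code in the Active Directory diagnostic string quoted above, treating an empty message (the Linux behaviour reported here) as unknown instead of as a plain wrong password. The sub-codes are Win32 logon error values in hex; the names `AdBindFailure` and `AdBindError` are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper types for illustration; not an API of System.DirectoryServices.Protocols.
public enum AdBindFailure
{
    Unknown,             // message empty or unparseable (what the issue reports on Linux)
    InvalidCredentials,  // data 52e
    PasswordExpired,     // data 532
    PasswordMustChange,  // data 773 (the value in the issue's sample message)
    AccountDisabled,     // data 533
    AccountExpired,      // data 701
    AccountLockedOut,    // data 775
}

public static class AdBindError
{
    // AD diagnostic shape: "<hex>: LdapErr: DSID-..., comment: AcceptSecurityContext error, data <hex>, v<build>"
    private static readonly Regex DataField =
        new Regex(@"\bdata\s+([0-9a-fA-F]+)\b", RegexOptions.CultureInvariant);

    // Intended call site: catch (LdapException ex) when (ex.ErrorCode == 49),
    // passing ex.ServerErrorMessage.
    public static AdBindFailure Classify(string serverErrorMessage)
    {
        if (string.IsNullOrWhiteSpace(serverErrorMessage))
            return AdBindFailure.Unknown;

        Match m = DataField.Match(serverErrorMessage);
        if (!m.Success)
            return AdBindFailure.Unknown;

        return m.Groups[1].Value.ToLowerInvariant() switch
        {
            "52e" => AdBindFailure.InvalidCredentials,
            "532" => AdBindFailure.PasswordExpired,
            "773" => AdBindFailure.PasswordMustChange,
            "533" => AdBindFailure.AccountDisabled,
            "701" => AdBindFailure.AccountExpired,
            "775" => AdBindFailure.AccountLockedOut,
            _ => AdBindFailure.Unknown,
        };
    }

    public static void Main()
    {
        // Sample message copied from the issue text; the empty string models the Linux case.
        Console.WriteLine(Classify("80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 773, v1db1"));
        Console.WriteLine(Classify(""));
    }
}
```

Keeping `Unknown` separate from `InvalidCredentials` lets the caller log that the server diagnostic was missing instead of silently reporting a bad password.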

ghost commented 1 year ago

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014. See info in area-owners.md if you want to be subscribed.

Author: k-t
Assignees: -
Labels: `area-System.DirectoryServices`
Milestone: -

buyaa-n commented 1 year ago

> Replacing it with LdapOption.LDAP_OPT_ERROR_STRING allows to get the desired error message from Active Directory on Linux.
>
> Would it be possible to use LdapOption.LDAP_OPT_ERROR_STRING in LdapSessionOptions for Linux? Or to add some other way to get that information if this change can break existing code for LDAP servers other than AD?

If that is the case, we could have different implementations for each platform for that ServerErrorMessage method: https://github.com/dotnet/runtime/blob/f516d02550e5f47d12b7d551b8b3dfcf33d8743a/src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapSessionOptions.cs#L507

I see that LdapSessionOptions.cs is a partial class that already has Windows and Linux implementations.

@k-t if you are interested, please feel free to put up a fix with corresponding test(s).

s35241607 commented 2 months ago

I also encountered this problem. Is there any short-term solution?